Suspected Yontoo infection

  • This topic is locked
8 replies to this topic

#1 Chefdon


  • Members
  • 46 posts
  • Local time:10:32 PM

Posted 26 April 2014 - 06:39 PM

My dad asked me to look at his laptop (Dell Inspiron running Windows XP). He has been having problems connecting to websites like Facebook. Also cannot turn off computer using the traditional shut down method. Today I was having trouble printing from it.


I noticed some extensions in Chrome, such as Wajam. I unchecked and removed them. Next I went to Add/Remove Programs and saw other programs all added the same day: mixidj v30 toolbar, and Yontoo 2.04. I attempted to remove them, but did not prevail.


When I click either change or remove, a window pops up for something called Tarma installer, saying setup initialization error.  Clicking the change or remove for MixiDJ only results in a box with script.



I ran Malwarebytes in Safe Mode with Networking as a precaution and nothing came up.


Also Eset Smart Security 6 is active on his computer.



Any ideas or advice are greatly appreciated.



*edit: After posting this I attempted logging into Gmail and the page wouldn't load. Also Shockwave is having issues as well.

Edited by Chefdon, 26 April 2014 - 06:48 PM.



#2 noknojon


  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:12:32 PM

Posted 27 April 2014 - 12:39 AM

Hello -


Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open eventually called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.



Next -

Download MiniToolBox, save it to your desktop and run it.
Close any Firefox browsers you may have open.
Checkmark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and copy / paste the result (Result.txt).


Now -

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

* Double-click on the Rkill desktop icon to run the tool.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.


Post the log, but do not reboot until you run the next program -


Now -

 Please download AdwCleaner by Xplode and save to your Desktop.
* NOTE : Please close or save all work, as the computer will be Rebooted
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button. (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review. 
* If you see any which you do not want removed, remove the check mark next to it. 
* Next: Click on the Clean button (only once) to remove the selected items. 
* You will receive a message telling you that all programs will be closed so that the infections can be removed.
* Click on OK, and then OK again to confirm the reboot.
* When the cleaning process is complete a log (AdwCleaner[S0].txt) of what was removed will be on your desktop.
* Please copy and then paste this log in your next post.

* A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.



After the reboot, -

Shut down your protection software now to avoid potential conflicts.
* How To Temporarily Disable Your Anti-virus
* Please download Junkware Removal Tool to your desktop.
* Run the tool by double-clicking it.
* If you are using Windows Vista, 7, or 8, right click JRT.exe and select "Run as Administrator".
* The tool will open and start scanning your system.

* Please be patient as this can take a while to complete depending on your system's specifications.
* On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
* Post the contents of JRT.txt into your next message.




"I ran Malwarebytes in Safe Mode with Networking" << This program is not designed to run in Safe Mode unless the Chameleon version is used.

* Download Malwarebytes Anti-Malware Free Version 2.0.1, and save it to your desktop
* Double click the desktop icon, click Run, then OK
* Click Next
* Select I accept the agreement then continue to click Next then finally click Install
* A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program
* Click Finish
* If you are notified the Database is out of date click Update Now
* Threat scan + Rootkit scan
* Click the Settings tab >> Detection and Protection >> Detection Options, tick the box 'Scan for rootkits'.
* Click on the Scan tab,

* Click on Scan Now
* A Threat/Rootkit Scan will begin.
* With some infections, you may see this message box.
'Could not load DDA driver'
* Click 'Yes' to this message, to allow the driver to load after a restart.
* Allow the computer to restart. Continue with the rest of these instructions.
* When the scan is complete, click Apply Actions.
* Wait for the prompt to restart the computer to appear, then click on Yes.
(Copy to clipboard for pasting into forum replies)
* After the restart once you are back at your desktop, open MBAM once more.
* Click on the History tab >> Application Logs.

* Double click on the scan log which shows the Date and time of the scan just performed.
* Click 'Copy to Clipboard'

* Paste the contents of the clipboard into your reply.

#3 noknojon


  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:12:32 PM

Posted 27 April 2014 - 12:46 AM

Stage 2 of this project is to try the following -


Based on what you describe, the next thing I would have you do is to check and remove / disable browser extensions.

If you are still having issues after that, the next step is to try resetting browser settings to default.
How to reset your browser settings to default in Internet Explorer, Firefox, Google Chrome, Opera, Safari

#4 Chefdon

  • Topic Starter

  • Members
  • 46 posts
  • Local time:10:32 PM

Posted 27 April 2014 - 06:59 AM

Security Check log;


 Results of screen317's Security Check version 0.99.82  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
 AVG SafeGuard toolbar    
 ESET Smart Security    
 McAfee Uninstaller     
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 17  
 Java version out of Date!
  Adobe Flash Player Flash Player out of Date!
 Adobe Reader 7 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
 ESET NOD32 Antivirus egui.exe  
 ESET NOD32 Antivirus ekrn.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
MiniToolBox by Farbar  Version: 23-01-2014
Ran by Don (administrator) on 27-04-2014 at 08:02:32
Running from "C:\Documents and Settings\Don\My Documents\Downloads"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
========================= Flush DNS: ===================================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ============================== 
Proxy is enabled.
ProxyServer: http=;https=;
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================       localhost
========================= IP Configuration: ================================
Dell Wireless 1390 WLAN Mini-Card = Wireless Network Connection (Connected)
1394 Net Adapter = 1394 Connection (Connected)
Broadcom 440x 10/100 Integrated Controller = Local Area Connection (Media disconnected)
# ---------------------------------- 
Rkill 2.6.5 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
Program started at: 04/27/2014 12:00:32 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * C:\WINDOWS\System32\bcmwltry.exe (PID: 392) [WD-HEUR]
 * C:\WINDOWS\system32\WLTRAY.exe (PID: 1576) [WD-HEUR]
 * C:\WINDOWS\stsystra.exe (PID: 1588) [WD-HEUR]
4 proccesses terminated!
Active Proxy Server Detected
 * Proxy Disabled.
 * ProxyOverride value deleted.
 * ProxyServer value deleted.
 * AutoConfigURL value deleted.
 * Proxy settings were backed up to Registry file.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Backup Registry file created at:
 C:\Documents and Settings\Don\Desktop\rkill\rkill-04-27-2014-12-00-45.reg
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * Windows Firewall Disabled
   "EnableFirewall" = dword:00000000
Checking Windows Service Integrity: 
 * No issues found.
Searching for Missing Digital Signatures: 
 * No issues found.
Checking HOSTS File: 
 * HOSTS file entries found:       localhost
Program finished at: 04/27/2014 12:02:52 PM
Execution time: 0 hours(s), 2 minute(s), and 19 seconds(s)

Edited by Chefdon, 27 April 2014 - 11:03 AM.

#5 Chefdon

  • Topic Starter

  • Members
  • 46 posts
  • Local time:10:32 PM

Posted 27 April 2014 - 11:44 AM

I just finished running AdwCleaner and did the reboot. Now I can't access any websites. There is an Internet connection and everything seems to be running normal. Email works.

I tried IE and Chrome, but to no avail.

I also ran Malwarebytes and cleared 170 threats. Still no dice on IE or Chrome accessing sites.

*sent from my phone

Edited by Chefdon, 27 April 2014 - 06:54 PM.

#6 noknojon


  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:12:32 PM

Posted 27 April 2014 - 07:13 PM

Hello -

Uninstall Java from Control Panel > Add / Remove programs, as yours is very old.


There are major problems showing, and only half of the MiniToolBox report is showing.


Rather than annoy you with other programs that "may or may not" help, try to borrow a laptop and use that for a few days to post a new infected topic to the Experts.



As you need more assistance, please Fully read and follow the instructions in the Preparation Guide For Requesting Help starting at Step #6.


NOTE: If you are unable to complete any step, still post the new topic and leave a full description of your problems.


When you have done that, start a new topic and post the required logs to the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts only.


Please Use Copy / Paste for your responses, and Do Not Attach them unless your helper requests this.


If HelpBot responds to your topic, please follow his Step #1 so the team will be notified.


After posting this, please reply back in this thread with a link to the new topic so we can close this one.

#7 Chefdon

  • Topic Starter

  • Members
  • 46 posts
  • Local time:10:32 PM

Posted 28 April 2014 - 03:10 PM

I couldn't read the preparation guide. I clicked the link and it came up with an error, saying: "Sorry, we could not locate the page you are requesting to view".

Edited by Chefdon, 28 April 2014 - 03:50 PM.

#8 noknojon


  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:12:32 PM

Posted 28 April 2014 - 04:57 PM

Preparation Guide - Start from Step #6 -



Not sure why but the link was always the same ?? New full one above, and I will check all of my other links -


Thank you for alerting me to the bad link -

Edited by noknojon, 28 April 2014 - 04:58 PM.

#9 hamluis



  • Moderator
  • 56,379 posts
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:32 PM

Posted 30 April 2014 - 06:40 AM

MRL topic at http://www.bleepingcomputer.com/forums/t/532652/not-sure-what-i-have-but-its-a-whole-lot-of-trouble/#entry3355828 .


Now that you have properly posted a malware log topic, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on, the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

